Backup and restoration of DRM security data

ABSTRACT

The present invention provides for a method of security data restoration for a user device for back-up purposes in which the said security data can be restored through the interaction of a first and at least a second portion of data, including the steps of storing the first portion of data on a storage medium remote from the device, writing the at least second portion of data to wireless storage means, and, when restoration is required, communicating the at least second portion of data from the wireless storage means to the said storage medium so as to allow for the interaction of the first and the at least second portion of data.

The present invention relates to a secure data handling system and related method and apparatus which allows for the recreation of security data to allow for the backing-up thereof.

Digital data is becoming ever more widely employed as a format for the storage, transmission and recreation of a wide variety of media including audio, video and all forms of electronic data. In some circumstances, for example when handling digital data representing media of high value, or comprising features the access to which should be limited to predetermined parties, it is common to add a security layer to the handling of the data so as to prevent access to the data by unauthorised parties which can assist in preventing unauthorised copying etc.

Such Digital Rights Management (DRM) systems can be provided for devices arranged for handling digital data and more increasingly, to small mobile devices such as Personal Digital Assistants (PDAs) and mobile radio communication devices such as cellular phones.

A common means of achieving the required level of security is through the employment of encryption technology and in particular cryptographic keys.

With such known systems, two forms of keys are generally produced, a public key and a private key and the systems are arranged such that the public key can be known by any party. However, the private key, while available for use only by an authorised party receiving the data, generally remains inaccessible and undisclosed.

The present invention can be incorporated within any secret-sharing scheme, such as for example that employing cryptographic keys and in an advantageously simple fashion so as to allow for the ready back-up of the cryptographic key information in a simple and relatively cost-effective manner and without prejudicing the security offered by the system.

As noted above, cryptographic keys are commonly used to allow for the secure storing of digital contents such as audio, video, electronic books etc., which are commonly purchased by a user from an on-line content sales facility.

To allow for the adequately controlled purchase of the content by the user, the content is generally stored in an encrypted form on an appropriate storage medium of the user, and so as to prevent such stored objects being useful if copied to a third party.

In accordance with the overall content security arrangement, some key information will be stored, in a buried fashion, within a domain of the user's device which is itself inaccessible to the user and which serves to prevent that user from attempting to decrypt the content otherwise than for authorised use.

Such buried key information can also only be accessed dynamically when the content is decrypted at the time of legitimate use.

In view of the high value of such digital data content, the user may well have invested considerable financial outlay in obtaining such content and the value of this content is dependent upon the user's ability to access, and use the content as and when required. In turn, the value is dependent upon the continued availability of the buried key information.

If the device containing the buried keys—for example, a smartcard—or a secured storage area within any semiconductor conducted device, suffers a failure which renders the buried key information inaccessible, then the user has lost the ability to decrypt, and therefore use, the content in respect of which he has already invested potentially high financial outlay.

Back-up systems are known which serve to allow for the recovery of the cryptographic key information should the user for some reason lose the ability to access the required key information.

Such back-up systems generally use known secret-sharing techniques, which in turn generally require the use of a trusted third party to store one portion of the security data, which will only be useful in recreating the cryptographic key information, upon receiving a second portion of security data which is held by the authorised user.

When implementing current secret-sharing schemes on, for example, a consumer electronics device, product designers face problems in relation to the recording of the user's share of the security data. Typically, the user's share of this security information comprises a large number or a long bit string, and which needs to be recorded accurately by the user for future key-restoration purposes. Furthermore, this large number or bit string should not be stored within the product itself, to avoid the possibility that failure of the product might then also obliterate the user's share of that security data.

Known arrangements provide for the presentation of the user's share of the security information on a display device and which arrangements then instruct the user to record the information manually, for example, on a separate reading such as paper. However, as noted above, the user's share can typically comprise a large number or bit string which can be of the extent of several hundred bits of information and so such an approach is found to be tedious by the user and of course is error-prone.

Alternative schemes allow for the user's share of the security data to be stored in a removable part of the device, for example a non-volatile storage element. However, restrictions arise insofar as if such a detachable element forms a functional part of the product itself, it is likely to suffer the same failure as could be suffered by the product.

According to a first aspect of the present invention there is provided a method of security data restoration for a user device for back-up purposes in which the said security data can be restored through the interaction of a first and at least a second portion of data, including the steps of storing the first portion of data on a storage medium remote from the device, writing the at least second portion of data to wireless storage means, and, when restoration is required, communicating the at least second portion of data from the wireless storage means to the said storage medium so as to allow for the interaction of the first and the at least second portion of data.

Advantageously, the use of a wireless storage means allows for a secure, reliable and low-cost solution to the secret sharing problem encountered in the prior-art and comprises one which requires little, or no, user intervention.

The reliability of the method is also not prejudiced by any device failures that might be experienced.

Preferably the security device comprises encryption data and, in particular, can comprise cryptographic key data such as data relating to the private key of a RSA public/private keypair.

The invention can be incorporated for use within a mobile device such as a mobile radio communications device and the wireless storage device advantageously comprises a near field communications device.

According to another aspect of the present invention there is provided a security data restoration system for a user device for backup purposes in which the said security data can be restored through the interaction of a first portion and at least a second portion of data, the system comprising a storage medium arranged for storing the first portion of data remote from the device, wireless storage means arranged for receiving the at least second portion of data and the system being arranged such that, when restoration is required, the at least second portion of data within the wireless storage means can be communicated to the said storage medium so as to allow for the interaction of the first and the at least second portion of data.

The system can advantageously be arranged to operate in accordance with the method steps noted above.

According to a further aspect of the present invention there is provided a method of backing-up security data of a user device and comprising the step of writing a first portion of security data to writable wireless storage means for subsequent retrieval and use in a backup procedure.

In accordance with yet another aspect of the present invention there is provided a back up device for the storage of security data derived from a user device and for subsequent use in recreating security data within the device, and comprising a wireless writable storage device.

The present invention seeks to provide for a security data system and related method and apparatus having advantages over known such systems, methods and apparatus.

As will be appreciated, the present invention advantageously provides for the use of a writable storage device employing near-field communications technology for the back up of security-critical data such as cryptographic key data. Secret sharing techniques are employed to ensure that the keys can only be restored by collaboration between the original holder of the lost key and a trusted third party authority. The use of low cost storage cards employing near-field communications technology allows the cryptographic key backup to be performed securely and with little, or no, user intervention.

It will be appreciated that the invention is suitable for backing-up keys used to secure content downloaded according to a variety of protocols and specifications, for example the Open Mobile Alliance (OMA) DRM version 2 specification.

The invention is described further hereinafter, by way of example only, with reference to the accompanying drawing which is a schematic block diagram of a mobile device arranged in accordance with the present invention.

Turning now to the drawing, there is illustrated a mobile device such as a cell phone 10 and which is arranged for the generation, and storing of cryptographic key information so as to access secure content transmitted thereto and for which the user of the device 10 may well have made a substantial financial outlay.

It is important therefore to allow the user to recreate, in a secured fashion, the cryptographic information it originally held within the device 10 should the data for some reason become inaccessible or lost.

The illustrated embodiment relates to the backing-up of one or more keys used to store content required according to DRM specifications such as those outlined by way of the OMA. According to such specific methods, mobile devices are equipped with a so-called DRM agent which is a function provided to allow for the procurement of digital rights so as to reproduce, or otherwise use, downloaded content. Such rights are stored as so-called Rights Objects and critical parts of these Rights Objects are encrypted for the use of a given DRM agent using, for example, its given (Rivest Shamir Adleman) RSA public key. The corresponding RSA private key is required to access such rights and subsequently the content, being held by the user.

The illustrated embodiment is based upon a device which uses a RSA public/private key pair for the cryptographic handling of data.

As illustrated, in accordance with the illustrated embodiment, the device 10 is associated with a near-field communications card 12 which, in a wireless fashion is arranged to receive by induction both its power and required data from the device 10.

Internal to the device 10 is a secured domain 14 within which the public/private keypair is created and within which the private key is secured in such a way that it is unknown to all parties, including the owner/user of the device 10. This ensures that the device containing this private key cannot itself be cloned and so enhances the security offered by the public/private key pair. The private key can only be exploited by writing data into the secured domain 14, which provides digital signing and decryption operations. Computations are performed only within the secured domain 14 and the results are then read-out without the private key itself becoming exposed.

The creation of a RSA private key requires two specific functions. First a random number generator 16 is required to define candidate numbers as potential prime factors p and q of the RSA public modulus n, and subsequent to the generation, a function to test these candidate numbers for primality. Knowledge of either of the prime factors p or q, in conjunction with the public modulus n proves to be sufficient for the reconstruction of the private key.

The present invention advantageously employs the random number generator 16 so as to allow for a simple secret-sharing scheme which allows the backing-up of the key data.

In accordance with this embodiment of the present invention, once the public/private keypair creation process has been completed, the two prime factors p and q are known within the secured domain 16 whilst the public modulus n formed in the multiplier 18 is available outside of the secured domain 14.

In general, it is appreciated that the value n is chosen to be a number of a specific size, for example 1024 bits. In this manner, a simple secret sharing scheme can be implemented through the generation of an additional random number r within the random number generator 16 and which is of a bit-length half of that of the bit length of the public modulus n, i.e. in this example 512 bits. It will be appreciated, the creation of this random number r is performed within the secured domain 14.

Since it can be ensured that a minimum value of (p,q) which is defined at block 20 as s cannot have a bit-length greater than 512 bits, then it will be readily appreciated that an exclusive OR operation of the values of s and r will have a bit-length of exactly 512 bits. If necessary, the bit string representing s can be prepended with zeros in order to extend its length to 512 bits.

Importantly, it should be appreciated that a knowledge of the bits arising from the exclusive OR operation of the values of s and r conveys no information about either s or r, and even the bit-length of s is concealed.

In accordance with the present invention, the values of s and r are subject to an exclusive OR operation at block 22 and the result delivered to a near field communications writer 24 for writing, in a wireless fashion, to the near field communications card 12.

As will be appreciated, the illustrated embodiment of the present invention provides for an example of a secret-sharing scheme allowing for the secure recreation of cryptographic key data and, in this illustrated embodiment, the secret shared between the user device 10 and a remote so-called trusted authority, is the value s.

The trusted authority with whom one share of the secret s is lodged has been assumed not to collude with the user of the device 10 to reconstruct the private key in an unauthorised manner. Such a trusted authority is also assumed to have its own public/private keypair, the public key of which, if necessary, being certified by an even higher security authority.

Also, it is assumed that the trusted authority checks to ensure that the requirements which must be met before the key recovery can be performed are satisfied.

By reference to the accompanying drawing, it should be appreciated that the secret sharing operation is completed as follows.

First, the random number r generated within the random number generator 16 is encrypted using the public key of the trusted authority. Such an encryption operation is performed inside the secured domain 14 of the device 10 within the encryption block 26 so that only the encrypted result T is visible to the user, and indeed a third party. This encrypted result T is then delivered to the trusted authority.

As mentioned previously, the result of the exclusive OR operation between the values of s and r is then delivered in a wireless manner to the write-once near-field communications card 12 and the user instructed to keep the card in a safe place for retrieval and use when key-data reconstruction is required.

In an event that such key reconstruction is required, for example in order to recover content after a device failure, the user need simply present the card 12 to the trusted authority which authority is then able to read directly the result of the exclusive OR operation of the values s and r.

Also, through the use of its private key, the trusted authority can decrypt the message T comprising the encrypted version of r that it received when the secret sharing operation was performed and so, through the recovery of the value of r, and by means of a simple exclusive OR operation with the data stored on the near field communications card 12, the value of s can then be recovered.

The recovery of s then permits the reconstruction of the private key information and so the recovery of any information stored under that private key.

Of course, any private key, or secret secured data can be shared in an appropriate manner by the same technique as discussed above and regardless of the bit-length of the data. Thus, the invention is equally applicable for example to elliptic curve cryptosystem private key information or indeed symmetric cipher key information. Of course, other, and more sophisticated, secret sharing schemes can be employed if required, the key feature of the invention being the use of the near-field communications card in the secret sharing scheme.

It should of course be appreciated that, mathematically, it is arbitrary whether the trusted authority receives r or the result of the exclusive OR operation, so long as one is received and the other is stored on the near-field communications device. Providing r to the trusted authority in this example however is considered advantageous since the number sent to the trusted authority then has no meaningful relationship with the key information. Also, the user is then protected against weakness in the random number generation.

As will be appreciated, the invention can advantageously be applied to third generation mobile cell phones and multimedia devices which are intended to receive audio, video and executable content targeted at a specific recipient. This recipient will generally be identified by an internal DRM agent function which has its own public/private key pairs to facilitate reception of rights information.

Other devices that could benefit from such a low-cost buried key back-up scheme as that presented by the present invention include smart cards, where the smart card acts as a root key carrier for storage, trusted computing devices according to the specifications of the Trusted Computing Group (TCG) wherein an embedded trusted platform module (TPM) contains a buried RSA private key, and personal identity systems such as electronic passports and driving licenses, where the ability to produce evidence of previous ownership of a buried secret may serve to facilitate the process of re-issuing new identity tokens in the event of loss or damage to the original.

The invention is not restricted to the details of the foregoing embodiment. For example the secret sharing need not only be deployed across two parties. Through an appropriate choice of mathematical scheme, it is possible to devise sharing schemes in which more than two shares are distributed between a corresponding number of parties, and furthermore in which optionally not all shares are required for reconstruction. For example any four shares from seven may be used. The essence of the invention is of course the storing of the user's share(s) on the NFC card.

As will therefore be appreciated, the present invention provides for the use of an extremely low cost write-once device employing near-field communications technology for the storage of a user's share of security data within a secret sharing scheme. As noted, such cards require and contain only a small chip which receives both data and power by magnetic induction and so comprise extremely cost-effective media for the storage of the user's share of the secret.

In its most general sense, it will be appreciated that the present invention allows for the sharing of a secret, for data-security access purposes, between a user and a trusted authority whereby the secret data can only be reconstructed by collaboration between the user and the trusted authority, and wherein the recording of the user's share of that secret is easily, reliably and cost-effectively integrated within a simple electronic storage device.

1. A method of security data restoration for a user device for back-up purposes in which the said security data can be restored through the interaction of a first and at least a second portion of data, including the steps of storing the first portion of data on a storage medium remote from the device, writing the at least second portion of data to wireless storage means, and, when restoration is required, communicating the at least second portion of data from the wireless storage means to the said storage medium so as to allow for the interaction of the first and the at least second portion of data.
2. A method as claimed in claim 1, wherein the security data comprises encryption data.
3. A method as claimed in claim 2, wherein the encryption data comprises cryptographic key data.
4. A method as claimed in claim 1, wherein the user device comprises a mobile device.
5. A method as claimed in claim 4, wherein the mobile device comprises a mobile radio communications device.
6. A method as claimed in claim 1, wherein the said storage medium comprises a trusted authority for the secure storage of the said first portion of data.
7. A method as claimed in claim 1, wherein the said wireless storage means comprises at least one near-field communications device.
8. A method as claimed in claim 1, wherein a plurality of said second portions of data are required for the restoration of the security data.
9. Security data restoration system for a user device for backup purposes in which the said security data can be restored through the interaction of a first portion and at least a second portion of data, the system comprising a storage medium arranged for storing the first portion of data remote from the device, wireless storage means arranged for receiving the at least second portion of data and the system being arranged such that, when restoration is required, the at least second portion of data within the wireless storage means can be communicated to the said storage medium so as to allow for the interaction of the first and the at least second portion of data.
10. A system as claimed in claim 9, wherein the security data comprises encryption data.
11. A system as claimed in claim 10, wherein the encryption data comprises cryptographic key data.
12. A system as claimed in claim 9, wherein the user device comprises a mobile device.
13. A system as claimed in claim 12, wherein the mobile device comprises a mobile radio communications device.
14. A system as claimed in claim 1, wherein the said storage medium comprises a trusted authority for the secure storage of the said first portion of data.
15. A system as claimed in claim 1, wherein the wireless storage means comprises at least one near-field communications device.
16. A system as claimed in claim 9, wherein a plurality of said second portions of data are required for the restoration of the security data.
17. A method of backing-up security data of a user device and comprising the step of writing a first portion of security data to writable wireless storage means for subsequent retrieval and use in a backup procedure.
18. A method as claimed in claim 17, wherein the wireless writable storage means comprises at least one near-field communications device.
19. A back up device for the storage of security data derived from a user device and for subsequent use in recreating security data within the device, and comprising a wireless writable storage device.
20. A device as claimed in claim 19 and comprising a near field communications device.
21. A method of security data restoration substantially as hereinbefore described and with reference to the accompanying drawing.
22. A security data restoration system substantially as hereinbefore described with reference to, and as illustrated in, the accompanying drawing.
23. A backup method for a user device substantially as hereinbefore described with reference to the accompanying drawing.
24. A backup device substantially as hereinbefore described with reference to, and as illustrated in, the accompanying drawing.